Symantec Retracts Android Malware Claims to Align With Lookout

After announcing the discovery of the most widespread piece of Android malware, Android.Counterclank, Symantec has retracted its claim to align with rival Lookout's more muted assessment.

It's been a rough week for Symantec.

Last Friday morning, Symantec announced it had discovered a new Trojan packaged within 13 free games, with 1-5 million downloads each. But by Friday night, Lookout Mobile undermined Symantec's alarming assessment, saying Counterclank was an aggressive ad network rather than anything malicious.

Days later, amidst criticism for fearmongering and false positives, Symantec revised its claim.

"When classifying applications, our focus is on whether users want to be informed of the application's behavior, allowing them to make a more informed choice regarding whether to install it," Symantec wrote in a rather sheepish blog post on Monday.

So should you be worried about Counterclank?

The mobile threat Android.Counterclank (or Apperhand SDK) isn't malware in the traditional sense, both vendors agree, but rather an aggressive ad network that redirects a user's search inquiries to another website, which in turn generates revenue for the maker of Counterclank. As Lookout put it, it "pushes the lines of privacy...while this is not malware, we do think that consumers should take it seriously," the startup wrote in a blog post.

Counterclank is an SDK that developers drop into their apps to monetize them. It contains code that can modify your homepage, place search icons on the mobile desktop, add bookmarks without your knowledge, and push out ads through the notifications bar. It's probably not something most Android users want on their devices, though it can't be classified as "malware." The only way to remove it is to remove the app.

Malware, Threat: Potato, Po-tah-toe?

Before you judge Symantec's early trigger pulling, Roger Thompson, chief emerging threats researcher at ICSA Labs, said it was an especially easy mistake for Symantec to make: last June Symantec discovered an early iteration of Counterclank called Tonclank that was found to be downloading more information than users had agreed to (consequently those apps were removed from the Android Market).

"The whole ad thing is a slippery slope," Thompson told me. "The reason why everything is free is because of ad revenue; almost every free app you see has an ad-serving platform."

"It was a bit alarmist of them, but malware authors are increasingly using ad networks to distribute malware. It's called ad poisoning," said Alan Goode, a UK consultant in infosec and mobile security.

"Where we sympathize is that poisoned ad networks are an increasing vector for distributing Trojans."

Google's response

Here's what worries me more. When Symantec asked Google to remove Counterclank from the Android Market, Google replied saying the apps met their Terms of Service. As such, you can still find many of the apps up on the Android Market—you'll just have to read user reviews.

"Due to the combined behavior of the applications, negative feedback from users who installed the applications, and the fact that previous applications (Android.Tonclank) using this code were initially suspended from the Google Market, we chose to notify users of Counterclank," Symantec wrote.

"We expect in the future there may be many similar situations where we will inform users about an application, but the application will remain in the Google Android Market."

Sara Yin is a junior analyst in the Software, Internet, and Networking group at PCmag.com, pouring most of her energy into app testing and security matters at Security Watch with Neil Rubenking. She lies awake at night pondering the state of mobile security (half-true).
Prior to joining PCMag.com, Sara spent five years reporting for publications in New York City (Huffington Post), Hong Kong (South China Morning Post), and Singapore (Campaign Asia, Men's Health).